PhishLabs IOC EIR

This integration was integrated and tested with v1.0 of the PhishLabs IOC EIR API.

Use Cases

  • Get live EIR from PhishLabs
  • Get EIR by filters from PhishLabs

Detailed Description

PhishLabs Email Incident Response (EIR) is a solution that protects against threats that make it past your email security stack and into your employees' inboxes. With Email Incident Response, enterprises can detect, prevent, and respond to these threats.

  • Suspicious Email Analysis
  • Email Threat Intelligence

Configure PhishLabs IOC EIR on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for PhishLabs IOC EIR.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g., https://example.net)
    • User
    • Fetch incidents
    • First fetch timestamp (e.g., 12 hours, 7 days)
    • Fetch limit
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the new instance.

Fetch Incidents

Fetching incidents is controlled by the following configuration parameters:

  • Fetch limit - maximum number of incidents retrieved per fetch
  • First fetch timestamp - how far back to start collecting incidents (e.g., 1 days ago, 1 hours ago)
  • Incident type

Example of a fetched incident as handed to Demisto:
[
  {
    "name": "PhishLabs IOC - EIR: INC0528925",
    "occurred": "2019-10-15T16:31:09Z",
    "rawJSON": {
            "id": "INC0528925",
            "service": "EIR",
            "title": "Deploymentliste release 10.0 in PROD am 15.10.2019",
            "description": "",
            "status": "Closed",
            "details": {
                "caseType": "Response",
                "classification": "No Threat Detected",
                "subClassification": "No Threat Detected",
                "severity": null,
                "emailReportedBy": "johnnydepp@gmail.com",
                "submissionMethod": "Attachment",
                "sender": "johnnydepp@gmail.com",
                "emailBody": "Test",
                "urls": [
                    {
                        "url": "google.com",
                        "malicious": false,
                        "maliciousDomain": false
                    }
                ],
                "attachments": [],
                "furtherReviewReason": null,
                "offlineUponReview": false
            },
            "created": "2019-10-15T16:31:08Z",
            "modified": "2019-10-15T16:31:09Z",
            "closed": "2019-10-15T16:31:09Z",
            "duration": 0
        }
  }
]

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. phishlabs-ioc-eir-get-incidents
  2. phishlabs-ioc-eir-get-incident-by-id

1. phishlabs-ioc-eir-get-incidents

Get EIR incidents from the PhishLabs IOC EIR service (default limit: 25 incidents).

Base Command

phishlabs-ioc-eir-get-incidents

Input
Argument Name | Description | Required
status | Filter incidents that are open or closed. | Optional
created_after | Return incidents created on or after the given timestamp, in RFC3339 format (e.g., 2019-04-12T23:20:50Z). | Optional
created_before | Return incidents created on or before the given timestamp, in RFC3339 format (e.g., 2019-04-12T23:20:50Z). | Optional
closed_after | Return incidents closed on or after the given timestamp, in RFC3339 format (e.g., 2019-04-12T23:20:50Z). | Optional
closed_before | Return incidents closed on or before the given timestamp, in RFC3339 format (e.g., 2019-04-12T23:20:50Z). | Optional
sort | Return incidents sorted by the given column. | Optional
direction | Return incidents sorted in the given order. This is applied to the given sort parameter. | Optional
limit | Maximum number of incidents to return (0-50, default 25). | Optional
offset | Offset from the last incident. | Optional
period | Period to query on (e.g., 1 days, 2 hours). | Optional

Context Output
Path | Type | Description
PhishLabsIOC.EIR.CaseType | String | Incident reason type
PhishLabsIOC.EIR.Classification | String | Incident classification
PhishLabsIOC.EIR.SubClassification | String | Detailed classification
PhishLabsIOC.EIR.Severity | String | Incident severity
PhishLabsIOC.EIR.SubmissionMethod | String | Email submission method
PhishLabsIOC.EIR.FurtherReviewReason | String | Incident further review reason
PhishLabsIOC.EIR.ID | String | ID of the incident
PhishLabsIOC.EIR.Title | String | Title of the reported incident
PhishLabsIOC.EIR.Description | String | Description of the reported incident
PhishLabsIOC.EIR.Status | Boolean | Status of the reported incident
PhishLabsIOC.EIR.Created | Date | Date the incident was created
PhishLabsIOC.EIR.Modified | Date | Date the incident was last modified
PhishLabsIOC.EIR.Closed | Date | Date the incident was closed
PhishLabsIOC.EIR.Duration | Number | Duration until the incident was closed, in seconds
PhishLabsIOC.EIR.EmailReportedBy | String | User who reported the incident
PhishLabsIOC.EIR.Email.EmailBody | String | Email body
PhishLabsIOC.EIR.Email.Sender | String | Email sender
PhishLabsIOC.EIR.Email.URL.URL | String | URL found in the body
PhishLabsIOC.EIR.Email.URL.Malicious | Boolean | Is the URL malicious?
PhishLabsIOC.EIR.Email.URL.MaliciousDomain | Boolean | Is the URL's domain malicious?
PhishLabsIOC.EIR.Email.Attachment.FileName | String | Name of the attached file
PhishLabsIOC.EIR.Email.Attachment.MimeType | String | Attachment MIME type
PhishLabsIOC.EIR.Email.Attachment.MD5 | String | Attachment MD5 hash
PhishLabsIOC.EIR.Email.Attachment.SHA256 | String | Attachment SHA256 hash
PhishLabsIOC.EIR.Email.Attachment.Malicious | Boolean | Is the file malicious?
Email.To | String | The recipient of the email.
Email.From | String | The sender of the email.
Email.Body/HTML | String | The plain-text version of the email.
File.Name | String | The full file name (including file extension).
File.SHA256 | Unknown | The SHA256 hash of the file.
File.MD5 | String | The MD5 hash of the file.
File.Malicious.Vendor | String | The vendor that reported the file as malicious.
File.Malicious.Description | String | A description explaining why the file was determined to be malicious.
URL.Data | String | The URL
URL.Malicious.Vendor | String | The vendor reporting the URL as malicious.
URL.Malicious.Description | String | A description of the malicious URL.
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Type | String | The indicator type.
DBotScore.Vendor | String | The vendor used to calculate the score.
DBotScore.Score | String | The actual score.
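
The mapping from a raw incident (the shape shown under Fetch Incidents) onto the context paths in the table above, as an added example that is not the integration's own code. It assumes the standard DBotScore scale (1 good, 3 bad) for the malicious flags, consistent with the Score of 1 shown for an unflagged URL in the context example; the raw attachment schema is not on this page, so attachments are left empty.

```python
import json

VENDOR = "PhishLabs IOC - EIR"

# Constructed sample in the shape of the fetch-incidents example above, with a
# second, flagged URL added so both score branches are exercised.
RAW_INCIDENT = json.loads("""{
  "id": "INC0528925", "title": "Example title", "description": "", "status": "Closed",
  "details": {"caseType": "Response", "classification": "No Threat Detected",
              "subClassification": "No Threat Detected", "severity": null,
              "emailReportedBy": "reporter@example.com", "submissionMethod": "Attachment",
              "sender": "sender@example.com", "emailBody": "Test",
              "urls": [{"url": "https://example.com", "malicious": false, "maliciousDomain": false},
                       {"url": "http://bad.example", "malicious": true, "maliciousDomain": true}],
              "attachments": [], "furtherReviewReason": null},
  "created": "2019-10-15T16:31:08Z", "modified": "2019-10-15T16:31:09Z",
  "closed": "2019-10-15T16:31:09Z", "duration": 0
}""")


def url_score(url):
    """Assumed DBotScore mapping: 3 (bad) if the URL or its domain is flagged, else 1 (good)."""
    return 3 if url.get("malicious") or url.get("maliciousDomain") else 1


def raw_to_context(raw):
    """Map one raw EIR incident onto the documented context entries."""
    d = raw.get("details", {})
    urls = d.get("urls", [])
    eir = {
        "ID": raw["id"], "Title": raw.get("title"), "Description": raw.get("description"),
        "Status": raw.get("status"), "Created": raw.get("created"),
        "Modified": raw.get("modified"), "Closed": raw.get("closed"),
        "Duration": raw.get("duration"), "CaseType": d.get("caseType"),
        "Classification": d.get("classification"),
        "SubClassification": d.get("subClassification"), "Severity": d.get("severity"),
        "SubmissionMethod": d.get("submissionMethod"),
        "FurtherReviewReason": d.get("furtherReviewReason"),
        "EmailReportedBy": d.get("emailReportedBy"),
        "Email": {"EmailBody": d.get("emailBody"), "Sender": d.get("sender"),
                  "Attachment": [],  # raw attachment schema is not shown on the page
                  "URL": [{"URL": u["url"], "Malicious": bool(u.get("malicious")),
                           "MaliciousDomain": bool(u.get("maliciousDomain"))} for u in urls]},
    }
    email = {"To": d.get("emailReportedBy"), "From": d.get("sender"), "Body/HTML": d.get("emailBody")}
    # The generic URL entry carries Malicious.Vendor/Description only for flagged URLs.
    url_ctx = [{"Data": u["url"], "Malicious": {"Vendor": VENDOR, "Description": "Flagged by EIR"}}
               if url_score(u) == 3 else {"Data": u["url"]} for u in urls]
    dbot = [{"Indicator": u["url"], "Type": "URL", "Vendor": VENDOR, "Score": url_score(u)}
            for u in urls]
    return {"PhishLabsIOC.EIR": eir, "Email": email, "URL": url_ctx, "DBotScore": dbot}
```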

Command Example

!phishlabs-ioc-eir-get-incidents limit=3

Context Example
{
    "DBotScore": [
        {
            "Indicator": "https://google.com",
            "Score": 1,
            "Type": "URL",
            "Vendor": "PhishLabs IOC - EIR"
        }
    ],
    "Email": [
        {
            "Body/HTML": "Example body",
            "From": "LinkedIn Sales Navigator  not@domain.com",
            "To": "Michael Mammele not@domain.com"
        },
        {
            "Body/HTML": "Example body",
            "From": "Tony Prince not@domain.com",
            "To": "Tony Prince not@domain.com"
        },
        {
            "Body/HTML": "Example body",
            "From": "FileDoc2 not@domain.com",
            "To": "John LaCour not@domain.com"
        }
    ],
    "File": [],
    "PhishLabsIOC": {
        "EIR": [
            {
                "CaseType": "Link",
                "Classification": "No Threat Detected",
                "Closed": "2019-11-05T23:23:06Z",
                "Created": "2019-11-05T22:05:52Z",
                "Description": "",
                "Duration": 4635,
                "Email": {
                    "Attachment": [],
                    "EmailBody": "Example body",
                    "Sender": "LinkedIn Sales Navigator  not@domain.com",
                    "URL": [
                        {
                            "Malicious": false,
                            "MaliciousDomain": false,
                            "URL": "https://google.com"
                        }
                    ]
                },
                "EmailReportedBy": "Michael Mammele not@domain.com",
                "FurtherReviewReason": null,
                "ID": "INC0682881",
                "Modified": "2019-11-05T23:23:06Z",
                "Severity": null,
                "Status": "Closed",
                "SubClassification": "No Threat Detected",
                "SubmissionMethod": "Attachment",
                "Title": "See who else can influence your deals"
            }
        ]
    }
}

Human Readable Output

PhishLabs IOC - EIR - incidents

ID | Title | Status | Created | Classification | SubClassification | EmailReportedBy
INC0682881 | See who else can influence your deals | Closed | 2019-11-05T22:05:52Z | No Threat Detected | No Threat Detected | Michael Mammele not@domain.com
INC0682040 | FW: Tuesday, November 5, 2019 | Closed | 2019-11-05T20:30:48Z | Malicious | Link - Phishing | Tony Prince not@domain.com
INC0681982 | Tuesday, November 5, 2019 | Closed | 2019-11-05T20:25:22Z | Malicious | Link - Phishing | John LaCour not@domain.com

2. phishlabs-ioc-eir-get-incident-by-id

Returns a single incident based on the given ID.

Base Command

phishlabs-ioc-eir-get-incident-by-id

Input
Argument Name | Description | Required
incident_id | ID of the incident (obtained from the phishlabs-ioc-eir-get-incidents command). | Required

Context Output
Path | Type | Description
PhishLabsIOC.EIR.CaseType | String | Incident reason type
PhishLabsIOC.EIR.Classification | String | Incident classification
PhishLabsIOC.EIR.SubClassification | String | Detailed classification
PhishLabsIOC.EIR.Severity | String | Incident severity
PhishLabsIOC.EIR.SubmissionMethod | String | Email submission method
PhishLabsIOC.EIR.FurtherReviewReason | String | Incident further review reason
PhishLabsIOC.EIR.ID | String | ID of the incident
PhishLabsIOC.EIR.Title | String | Title of the reported incident
PhishLabsIOC.EIR.Description | String | Description of the reported incident
PhishLabsIOC.EIR.Status | Boolean | Status of the reported incident
PhishLabsIOC.EIR.Created | Date | Date the incident was created
PhishLabsIOC.EIR.Modified | Date | Date the incident was last modified
PhishLabsIOC.EIR.Closed | Date | Date the incident was closed
PhishLabsIOC.EIR.Duration | Number | Duration until the incident was closed, in seconds
PhishLabsIOC.EIR.EmailReportedBy | String | User who reported the incident
PhishLabsIOC.EIR.Email.EmailBody | String | Email body
PhishLabsIOC.EIR.Email.Sender | String | Email sender
PhishLabsIOC.EIR.Email.URL.URL | String | URL found in the body
PhishLabsIOC.EIR.Email.URL.Malicious | Boolean | Is the URL malicious?
PhishLabsIOC.EIR.Email.URL.MaliciousDomain | Boolean | Is the URL's domain malicious?
PhishLabsIOC.EIR.Email.Attachment.FileName | String | Name of the attached file
PhishLabsIOC.EIR.Email.Attachment.MimeType | String | Attachment MIME type
PhishLabsIOC.EIR.Email.Attachment.MD5 | String | Attachment MD5 hash
PhishLabsIOC.EIR.Email.Attachment.SHA256 | String | Attachment SHA256 hash
PhishLabsIOC.EIR.Email.Attachment.Malicious | Boolean | Is the file malicious?
Email.To | String | The recipient of the email.
Email.From | String | The sender of the email.
Email.Body/HTML | String | The plain-text version of the email.
File.Name | String | The full file name (including file extension).
File.SHA256 | Unknown | The SHA256 hash of the file.
File.MD5 | String | The MD5 hash of the file.
File.Malicious.Vendor | String | The vendor that reported the file as malicious.
File.Malicious.Description | String | A description explaining why the file was determined to be malicious.
URL.Data | String | The URL
URL.Malicious.Vendor | String | The vendor reporting the URL as malicious.
URL.Malicious.Description | String | A description of the malicious URL.
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Type | String | The indicator type.
DBotScore.Vendor | String | The vendor used to calculate the score.
DBotScore.Score | String | The actual score.

Command Example

!phishlabs-ioc-eir-get-incident-by-id incident_id=INC0671150

Context Example
{
    "DBotScore": [
        {
            "Indicator": "https://google.com",
            "Score": 1,
            "Type": "URL",
            "Vendor": "PhishLabs IOC - EIR"
        }
    ],
    "Email": [
        {
            "Body/HTML": "Example body",
            "From": "LinkedIn Sales Navigator  not@domain.com",
            "To": "Michael Mammele not@domain.com"
        }
    ],
    "File": [],
    "PhishLabsIOC": {
        "EIR": [
            {
                "CaseType": "Link",
                "Classification": "No Threat Detected",
                "Closed": "2019-11-05T23:23:06Z",
                "Created": "2019-11-05T22:05:52Z",
                "Description": "",
                "Duration": 4635,
                "Email": {
                    "Attachment": [],
                    "EmailBody": "Example body",
                    "Sender": "LinkedIn Sales Navigator  not@domain.com",
                    "URL": [
                        {
                            "Malicious": false,
                            "MaliciousDomain": false,
                            "URL": "https://google.com"
                        }
                    ]
                },
                "EmailReportedBy": "Michael Mammele not@domain.com",
                "FurtherReviewReason": null,
                "ID": "INC0682881",
                "Modified": "2019-11-05T23:23:06Z",
                "Severity": null,
                "Status": "Closed",
                "SubClassification": "No Threat Detected",
                "SubmissionMethod": "Attachment",
                "Title": "See who else can influence your deals"
            }
        ]
    }
}